In security, when you think of the term 'asset', where does your head go? Chances are, you're thinking of employee laptops and bare-metal servers on-premise or in a colocation facility. The brains of some folks in the industry will even go as far as to include virtual machines.
But what about your users, code repositories, ephemeral cloud workloads, vulnerability findings, firewall rules, and SaaS applications? Aren't those assets as well?
Back in the '90s, '00s, and even into the 2010s, the traditional mindset of an asset was fine. The crown jewels of your company, i.e., your customer data, were protected behind the castle moat and walls, i.e., your corporate network with a VPN tunnel into the production datacenter.
In 2021, your customer data likely lives on employee laptops, in the dozens of SaaS applications used by your organization, and within the public cloud in the form of numerous data stores - databases, disks, storage buckets, etc.
The attack surfaces and threat vectors that advanced persistent threats are continuously trying to compromise have grown exponentially.
All of this to say: the definition of what an 'asset' is, and what asset discovery, visibility, and governance mean, needs a serious revamp to bring it into the present cybersecurity world we exist in.
Let's run through a handful of common security use cases where 'asset visibility' is seminal.
IAM and entitlement management
To manage logical access across your environment, whether it's physical devices, SaaS applications, user identities, user accounts, user groups, user roles, access policies, permissions to cloud services, etc., you need a solution that considers all of the facets of IAM. From access to entitlement tracking, considering the context of an identity asset in relation to other cyber assets allows you to understand, in depth, the access control structure and ever-changing risk profile of your environment. In addition to access and authorization, tracking identity scope creep is a real concern, as the ephemeral nature of cyber assets means rapid changes in the access model.
Incident response
Having visibility of your assets plays a huge role in saving your detection/response team time in triaging incidents; knowing the affected resource's attack surface - the logical access, the related networking, the data in jeopardy - is invaluable for prioritizing true risk so that your team's finite bandwidth cuts through the voluminous and noisy signals (alert fatigue). Daily incident response preparation also requires a deep understanding of asset details. Tabletop exercises, threat modeling, and daily risk monitoring are all activities within the scope of the incident response team. Managing your cyber asset base gives you the context to provide a depth of detail that you couldn't before.
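To make the triage point concrete, here is an added example (not JupiterOne code) that builds a small in-memory asset graph and ranks two findings of equal scanner severity by the data their host can reach and whether a firewall rule exposes it to the internet. The asset names, relationship types, findings and scoring weights are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample asset graph: (from_asset, relation, to_asset).
EDGES = [
    ("vm-web-01", "USES", "role-web"), ("role-web", "ALLOWS", "bucket-customer-pii"),
    ("bucket-customer-pii", "CLASSIFICATION", "pii"),
    ("fw-rule-web", "PROTECTS", "vm-web-01"), ("fw-rule-web", "ALLOWS_FROM", "0.0.0.0/0"),
    ("vm-batch-07", "USES", "role-batch"), ("role-batch", "ALLOWS", "bucket-build-logs"),
    ("bucket-build-logs", "CLASSIFICATION", "internal"),
    ("fw-rule-batch", "PROTECTS", "vm-batch-07"), ("fw-rule-batch", "ALLOWS_FROM", "10.0.0.0/8"),
]
# Constructed findings: same severity on both hosts, so the scanner alone cannot rank them.
FINDINGS = {"finding-A": "vm-web-01", "finding-B": "vm-batch-07"}

def build_graph(edges):
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

def reachable_data(graph, asset):
    """Walk USES/ALLOWS edges from an asset; return classifications of data stores it can reach."""
    seen, stack, classes = set(), [asset], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for rel, dst in graph.get(node, []):
            if rel in ("USES", "ALLOWS"):
                stack.append(dst)
            elif rel == "CLASSIFICATION":
                classes.add(dst)
    return classes

def internet_exposed(graph, asset):
    """True if any firewall rule protecting the asset allows traffic from anywhere."""
    return any(("PROTECTS", asset) in out and ("ALLOWS_FROM", "0.0.0.0/0") in out
               for out in graph.values())

def triage(edges=EDGES, findings=FINDINGS):
    """Rank findings by business context: reachable data sensitivity x network exposure."""
    graph = build_graph(edges)
    ranked = []
    for finding, asset in findings.items():
        data, exposed = reachable_data(graph, asset), internet_exposed(graph, asset)
        score = (3 if "pii" in data else 1) * (2 if exposed else 1)
        ranked.append({"finding": finding, "asset": asset, "score": score,
                       "data": sorted(data), "internet_exposed": exposed})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

With the sample data, the finding on the internet-facing host that can reach PII ranks first; the same two findings would be indistinguishable from the scanner output alone.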
CSPM
Visibility into your cloud environments is required, especially if you're deployed across multiple cloud providers and/or have a hybrid environment with on-prem assets. Understanding the relationships that exist between compute infrastructure, the different permissions that exist between virtualized components, and the software-defined virtualized networking architecture is just the tip of the iceberg in truly having a grasp on the governance and management of your cloud resources.
Compliance
With visibility across both the breadth and depth of your environment, demonstrating security compliance to internal and external stakeholders becomes a much simpler effort. The major benefits of tying visibility into compliance include:
- Automated, programmatic evidence collection for audits (no more downloading spreadsheets, images, PDFs, and manually uploading them into a document repository)
- True continuous compliance monitoring with automated remediation triggers/workflows (as opposed to the point-in-time annual audit)
- Automated mapping across multiple compliance and regulatory frameworks with the idea of "audit once, (re)use many times" for all of your different audits.
Asset management and visibility
At JupiterOne, we're working hard to educate the security industry not just on the importance of how we should be defining an "asset", but also on how cyber asset visibility, governance, and management play such a critical role in helping organizations manage their everyday security challenges. Whether it's monitoring access, securing the cloud, or managing compliance, we consider asset visibility to be the foundational building block of a well-run security program.
What you can do right now
In the current security reporting environments, where there is alert fatigue due to the excess volume and noisiness of signals, not all findings equate to risk. It's through the systematic interrogation of our cyber environments, and by connecting all of the disparate cyber assets, that we are able to identify true business risks and the who, what, where, when, and how of taking corrective action.
We invite you to run your own queries on JupiterOne. Our basic platform is free. This is not a "trial" version, there is no expiration. Our hope is that you will see immediate value as you begin to surface your cyber assets and be able to determine your highest security priorities through the query refinement process.
If you have questions or comments, I monitor our Slack channel daily, and look forward to hearing from you.
Resources for this article
- Over 400 pre-built JupiterOne Queries in the "Ask Me" library
- JupiterOne GitHub Repository
- JupiterOne Slack
- JupiterOne Platform (free, lifetime account) to explore your own queries and integrations